IBM’s Container Service: Container Security, Applied


Republished from the Integrated{code} blog

It’s no surprise to anyone that container security is still a hotly debated and discussed topic across the cloud ecosystem. Much of the debate hinges on an understanding that the full benefit of container technologies is only realized in a container-native bare metal deployment, but many implementations are held back from this by the “safety net” of understood and vetted VM technology. Everyone from developers to IT execs to operators and admins wants to know that a true container-native future for their cloud virtualization strategy is a “safe bet” that won’t come back to bite them (and their customers, data, critical business processes...) in the end.

To that end, you can easily find blog posts, tech journal write-ups, conference talks, and more recently, a couple of highly detailed “best practice” documents on container security topics. As a personal point of reference, a container security talk I gave at Docker London in July received over 8000 views on SlideShare in just a few weeks!

One recent addition to the pile of resources on this hot security topic was published by The New Stack, a popular site for tech journalism on cloud computing topics, not to mention a regular producer of podcasts, interviews, and even pancakes, should you visit any popular industry conference these days. The New Stack recently invited Bryan Cantrill, Joyent’s CTO, to discuss the state of container security on a podcast titled “Security Must be a Top Priority with Container Deployments.”

I’ve always thoroughly enjoyed Bryan’s engaging style and his thoughts on containers and this podcast does not disappoint. However, at minute 16:00 Bryan stated:

Certainly there is no cloud offering today that allows for two different tenants to run in two different containers on the same host that are mutually untrusted.

Bryan Cantrill, Chief Technology Officer at Joyent

This caught my attention because this model, based on the Linux kernel isolation primitives as a substrate, is exactly what IBM’s own containers-as-a-service cloud is built upon. We built our container cloud on bare metal because, while much of the industry is busy opining about container security problems, we see it as our mission to jump in and help fix them. Bluemix, therefore, is our flagship demonstration that a container-native bare metal cloud can be built.

We believe that Linux kernel-based isolation, along with the layers of security capabilities offered by Docker and the Linux ecosystem, some of which were contributed by IBM, is capable of providing the multi-tenant isolation for bare metal containers that our customers require. We agree there is still work to do, but we are successfully operating a managed containers-as-a-service offering using these components, with open source contributions from IBM including:

…and many bug fixes and configured environmental protections too numerous to list. These open source contributions are in addition to technologies we are developing and delivering via our Bluemix container offering such as:

…and more to come. That isn’t to say that we don’t understand the continued need for improvement and development of further security enhancements in the Linux substrate, but we believe in, and are committed to continuing our contributions to, this stack of open source layers, which provides a performant and secure isolation layer for what we all call “Linux containers”, and we are offering it as a service to our IBM Cloud customers via Bluemix.
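The isolation the post relies on is assembled from several independent kernel mechanisms (namespaces, capabilities, seccopm filtering is one of the Docker-exposed layers, user namespaces), and a multi-tenant host only delivers it if each container is actually launched with those layers enabled. The following is an added example, not code from the original post or from IBM’s Bluemix offering: a defender-side audit that reads the HostConfig section of `docker inspect` output and reports settings that weaken those layers. The two HostConfig documents are constructed samples, not output captured from any real host, and the `userns_remap_enabled` parameter is an assumed daemon-level input that the script does not discover on its own.

```python
"""
Added example (not from the original post or IBM's Bluemix code): audit the
HostConfig section of `docker inspect` output for settings that weaken the
kernel isolation primitives a multi-tenant container host depends on.
The two HostConfig documents below are constructed samples.
"""
import json

# Constructed sample: a container launched with isolation-weakening options.
WEAK_HOSTCONFIG = json.dumps({
    "Privileged": True,
    "CapAdd": ["SYS_ADMIN", "NET_ADMIN"],
    "CapDrop": [],
    "SecurityOpt": ["seccomp=unconfined"],
    "PidMode": "host",
    "NetworkMode": "host",
    "IpcMode": "private",
    "UsernsMode": "",
    "ReadonlyRootfs": False,
})

# Constructed sample: a container closer to what a shared host should run.
HARDENED_HOSTCONFIG = json.dumps({
    "Privileged": False,
    "CapAdd": None,
    "CapDrop": ["ALL"],
    "SecurityOpt": ["no-new-privileges"],
    "PidMode": "",
    "NetworkMode": "bridge",
    "IpcMode": "private",
    "UsernsMode": "",
    "ReadonlyRootfs": True,
})


def audit_isolation(host_config_json: str, userns_remap_enabled: bool = False) -> list:
    """Return a list of findings (strings) for one container's HostConfig.

    `userns_remap_enabled` is an assumed daemon-level flag: when the Docker
    daemon runs with user-namespace remapping, an empty UsernsMode inherits it.
    """
    hc = json.loads(host_config_json)
    findings = []

    # --privileged hands the container every capability and all host devices.
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and device access granted")

    # Capabilities beyond the default set widen the kernel attack surface.
    for cap in hc.get("CapAdd") or []:
        findings.append(f"cap_add:{cap}: extra capability granted")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("cap_drop: default capability set retained")

    # Sharing a host namespace removes the boundary between tenants and host.
    for key, label in (("PidMode", "pid"), ("NetworkMode", "net"), ("IpcMode", "ipc")):
        if hc.get(key) == "host":
            findings.append(f"{label}_namespace: shared with host")

    # seccomp syscall filtering and no-new-privileges are both set via SecurityOpt.
    sec_opts = hc.get("SecurityOpt") or []
    if any(opt.startswith("seccomp=unconfined") for opt in sec_opts):
        findings.append("seccomp: syscall filter disabled")
    if not any(opt.startswith("no-new-privileges") for opt in sec_opts):
        findings.append("no-new-privileges: not set")

    # Without user-namespace remapping, uid 0 in the container is uid 0 on the host.
    if not hc.get("UsernsMode") and not userns_remap_enabled:
        findings.append("userns: container root maps to host uid 0")

    if not hc.get("ReadonlyRootfs"):
        findings.append("rootfs: writable")

    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_HOSTCONFIG), ("hardened", HARDENED_HOSTCONFIG)):
        print(f"[{name}]")
        for finding in audit_isolation(doc) or ["no findings"]:
            print("  -", finding)
```

In practice the input comes from `docker inspect --format '{{json .HostConfig}}' <container>`; the hardened sample still produces one finding with the default arguments because user-namespace remapping is configured on the daemon rather than per container, which is why the audit takes that as a separate input.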

We are also continuing to look at new technologies such as the lightweight virtualization work at the OCI/runc layer, and at DockerCon Seattle we showed a proof-of-concept of one such pluggable runc on our POWER platform with hardware-assisted lightweight virtualization. We will continue delivering what we believe is of most value to our customers and provides them with a secure and appropriately isolated tenant environment based on Linux kernel container technologies.

If you haven’t had a chance to try out our Bluemix container cloud offering, note that you can easily get a free-tier 30-day trial account. The Docker client API is fully supported, as are container groups, the private registry noted above, and our entire catalog of cloud services, including logging, monitoring, public IP routing, and many other features.

And thanks, Bryan, for providing a launchpad for me to show off what IBM is achieving in the cloud today with our managed bare metal container cloud offering. I still highly respect your thoughts in this area, but I wanted to take the opportunity to say that one company has gone ahead and said “I’ll do it first!”
